Professional Phishers and Their Habits

Wednesday 5 October 15:00 - 15:30, Green room

Cristian Dantus (Bitdefender), Marius Tibeica (Bitdefender)

Phishing is a widespread phenomenon that is steadily growing. Professional individuals use advanced tools like phishing kits and automated mailers to cause substantial financial losses. There are even Facebook groups where they share mail lists and compromised servers or GitHub repositories with toolkits.

Phishers' methods may be growing in sophistication, but we can use some of their own tools — such as various tracking services that check the impact of their phishing campaigns — to find ways to identify them.

The first part of this paper aims to present the specifics of some of the most prolific phishers and fraudsters. We will analyse their preferences — what institutions, services or industries they choose to impersonate, whether they have servers hosted only in certain countries, whether they prefer certain TLDs. We will analyse their technical competencies — whether they prefer to hack websites or create new domains, whether the templates they use are simple or whether they use HTML obfuscation techniques (JavaScript encoding, images that replace words, frames), and whether they block the IPs of security companies. We will also learn if they are careful about their real identity or if we can find out who they are.

The second part of the paper is focused on offering a possible solution for protection against phishing at browser level. We will see how generating a blacklist of tracking IDs used in malicious websites fares in detecting new phishing campaigns and the limits of this approach. We will also perform an analysis of the identified phishers, which includes the average usage time of the same ID, variation of phishing templates, frequency of new phishing domains launched, IPs and TLDs analysis, and so on.
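A minimal sketch of the tracking-ID blacklist idea described above, added here as an illustration and not taken from the paper or from Bitdefender's implementation. It assumes the tracking IDs follow the Google Analytics "UA-" format; the function names and all sample pages and IDs are constructed.

```javascript
// Added illustration. Assumption: tracking IDs look like Google Analytics
// "UA-<account>-<property>" IDs; other tracking services need their own pattern.
const TRACKING_ID = /\bUA-\d{4,10}-\d{1,4}\b/g;

// Return the distinct tracking IDs found anywhere in a page's source.
function extractTrackingIds(html) {
  return [...new Set(html.match(TRACKING_ID) || [])];
}

// Build a blocklist from pages already labelled as phishing. IDs that also
// occur on known-benign pages are dropped: a cloned login page can carry the
// impersonated brand's own ID, and listing it would flag the real site.
function buildBlocklist(phishingPages, benignPages) {
  const benign = new Set(benignPages.flatMap(extractTrackingIds));
  const blocklist = new Set();
  for (const html of phishingPages) {
    for (const id of extractTrackingIds(html)) {
      if (!benign.has(id)) blocklist.add(id);
    }
  }
  return blocklist;
}

// Browser-level check: which blocklisted IDs does this page contain?
function matchBlocklist(html, blocklist) {
  return extractTrackingIds(html).filter((id) => blocklist.has(id));
}

// Constructed sample pages (all IDs are made up).
const benignPages = [
  "<script>ga('create', 'UA-1111111-1', 'auto');</script><h1>Example Bank</h1>",
];
const phishingPages = [
  // Cloned page: keeps the bank's ID and adds the phisher's own tracker.
  "<script>ga('create','UA-1111111-1');ga('create','UA-9999999-3');</script>",
  "<script>_gaq.push(['_setAccount', 'UA-9999999-3']);</script>",
];
const blocklist = buildBlocklist(phishingPages, benignPages);

// A new campaign on a fresh domain that reuses the tracker is caught; one that
// rotates or drops the ID is not, which is a limit of the approach.
const newCampaign = "<title>Sign in</title><script>ga('create','UA-9999999-3')</script>";
const rotatedId = "<title>Sign in</title><script>ga('create','UA-8888888-1')</script>";
console.log(matchBlocklist(newCampaign, blocklist));
console.log(matchBlocklist(rotatedId, blocklist));
```
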

Cristian Dantus

Cristian Dantus joined the Bitdefender team in 2015 as an online threat analyst. His research focuses mainly on phishing attacks. He has vast experience in data analysis, studying fraudulent websites and phishing trends.

Marius Tibeica

Marius Tibeica was born in Iasi, Romania, in 1987. He joined Bitdefender in 2008, while still a student, and is now leading the Online Threats and Web Filtering team. He is a science enthusiast and likes to build tools that help gaming communities.
